
docs: add io_uring_* syscalls to seccomp significant syscalls table #24449

Open
dvdksn wants to merge 1 commit into main from fix/issue-23784-io-uring-seccomp

Conversation

@dvdksn
Contributor

@dvdksn dvdksn commented Mar 20, 2026

Summary

  • Adds io_uring_enter, io_uring_register, and io_uring_setup to the significant syscalls blocked by Docker's default seccomp profile table
  • These syscalls were removed from the default allowlist in moby/moby#46762 (seccomp: block io_uring_* syscalls in default profile) due to security vulnerabilities that can be exploited to break out of containers
  • Entries are inserted alphabetically (after iopl, before kcmp)

Test plan

  • Verify the table renders correctly at /engine/security/seccomp/
  • Confirm the three new rows appear in alphabetical order

Fixes #23784

The io_uring_enter, io_uring_register, and io_uring_setup syscalls were
removed from Docker's default seccomp allowlist in moby/moby#46762 due
to security vulnerabilities that can be exploited to escape containers.
Add them to the significant blocked syscalls table.

Fixes #23784
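Whether a given profile still lets these three syscalls through can be checked mechanically. The script below is an added example, not part of this pull request or of Docker's own code: it evaluates a Docker-format seccomp profile (defaultAction plus per-entry actions; the constructed SAMPLE_PROFILE stands in for a real default.json) and reports which io_uring_* syscalls it allows. Argument filters and includes/excludes, which the real profile also uses, are deliberately not evaluated.

```python
"""Report which io_uring_* syscalls a Docker-format seccomp profile allows.

Added example, not code from the pull request or from Docker. It only
looks at defaultAction and per-entry actions; args/includes/excludes
filters present in the real default.json are ignored.
"""
import json
import sys

IO_URING_SYSCALLS = ("io_uring_enter", "io_uring_register", "io_uring_setup")

# Constructed, heavily shortened profile in the shape of Docker's default.json.
# It deliberately leaks io_uring_setup into the allowlist so the check fires.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "syscalls": [
        {"names": ["read", "write", "close", "io_uring_setup"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})


def effective_action(profile: dict, syscall: str) -> str:
    """Action the profile applies to `syscall`.

    The first entry naming the syscall wins; anything unlisted falls
    through to defaultAction (SCMP_ACT_ERRNO in Docker's default profile).
    """
    for entry in profile.get("syscalls", []):
        if syscall in entry.get("names", []):
            return entry["action"]
    return profile["defaultAction"]


def allowed_io_uring(profile_json: str) -> list[str]:
    """io_uring_* syscalls the profile lets through (empty list is the goal)."""
    profile = json.loads(profile_json)
    return [name for name in IO_URING_SYSCALLS
            if effective_action(profile, name) == "SCMP_ACT_ALLOW"]


def blocked_io_uring(profile_json: str) -> list[str]:
    """io_uring_* syscalls the profile does not allow."""
    allowed = set(allowed_io_uring(profile_json))
    return [name for name in IO_URING_SYSCALLS if name not in allowed]


if __name__ == "__main__":
    # Optionally pass a profile path (e.g. a copy of default.json) as argv[1].
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print("io_uring syscalls allowed:", allowed_io_uring(text) or "none")
```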
@netlify

netlify bot commented Mar 20, 2026

Deploy Preview for docsdocker ready!

Name Link
🔨 Latest commit 142b14c
🔍 Latest deploy log https://app.netlify.com/projects/docsdocker/deploys/69bd5f4c41472e00080a3356
😎 Deploy Preview https://deploy-preview-24449--docsdocker.netlify.app

@github-actions github-actions bot added the labels area/engine (Issue affects Docker engine/daemon) and area/security on Mar 20, 2026
Contributor

@docker-agent docker-agent bot left a comment


Assessment: 🟢 APPROVE

This PR correctly adds three io_uring_* syscalls to the seccomp blocked syscalls table. The changes are:

  • Factually accurate: The syscalls were indeed blocked in moby/moby#46762 for security reasons
  • Well-formatted: Entries are alphabetically ordered and consistent with existing table format
  • Properly documented: Each entry links to the upstream PR for context
  • Style-compliant: No hedge words, meta-commentary, or other style guide violations

The documentation clearly explains why these syscalls are blocked (security vulnerabilities that can lead to container breakout), which helps users understand the security posture.

No issues found. ✅

@dvdksn dvdksn requested a review from a team March 20, 2026 15:00

Labels

area/engine (Issue affects Docker engine/daemon), area/security

Development

Successfully merging this pull request may close these issues.

Please add io_uring to the list of significant syscalls blocked by the default profile
